
Threat actors are luring unsuspecting users into running Trojanized gaming utilities. The utilities are distributed via browsers and chat platforms and deliver a remote access trojan (RAT).
“A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar,” the Microsoft Threat Intelligence team said in a post on X. “The downloader used PowerShell and resident binaries (LOLBins) such as cmstp.exe for stealth execution.”
This attack chain is designed to evade detection by removing the initial downloader and configuring Microsoft Defender exclusions for the RAT component.
Persistence is achieved through a scheduled task and a Windows startup script named “world.vbs” before the final payload is deployed to the compromised host. According to Microsoft, this malware is a “multipurpose malware” that functions as a loader, runner, downloader, and RAT.
When started, it connects to an external server at 79.110.49[.]15 for command-and-control (C2) communications. It can exfiltrate data and deploy additional payloads.
To protect against this threat, we recommend that users audit Microsoft Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate affected endpoints, and reset active user credentials on compromised hosts.
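The audit steps above can be scripted. The following PowerShell triage script is an added example, not code from Microsoft's advisory or from the article: it enumerates the artifacts the write-up describes (Defender exclusions, non-Microsoft scheduled tasks invoking script hosts or Java, items in the startup folders, live connections to the reported C2 address, and recent process-creation events for cmstp.exe) and prints them for review. It assumes it is run elevated on the Windows host under investigation and, for the last check, that "Audit Process Creation" (event ID 4688) is enabled; the indicator values come from the article, the category names and layout are constructed here.

```powershell
# Added triage script (not from Microsoft's advisory or the article). Assumes:
# run elevated on the host being investigated; event 4688 auditing enabled for
# the process-creation check. Indicators below are the ones the article names;
# everything else is a constructed example. Nothing here deletes or changes state.

$indicators = @{
    StartupScript = 'world.vbs'        # startup script named in the article
    Jar           = 'jd-gui.jar'       # malicious JAR named in the article
    C2            = '79.110.49.15'     # C2 address from the article (defanged there)
    LolBins       = @('cmstp.exe')     # LOLBin named in the article
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Defender exclusions: the chain adds exclusions for the RAT, so every
#    exclusion not covered by documented change control deserves a look.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { Add-Finding 'DefenderExclusionPath'      $p } }
foreach ($p in @($pref.ExclusionProcess))   { if ($p) { Add-Finding 'DefenderExclusionProcess'   $p } }
foreach ($p in @($pref.ExclusionExtension)) { if ($p) { Add-Finding 'DefenderExclusionExtension' $p } }

# 2. Scheduled tasks whose actions invoke script hosts, PowerShell, Java, the
#    named JAR/VBS, or cmstp. Tasks under \Microsoft\ are skipped to reduce noise.
$suspicious = 'wscript|cscript|powershell|java|jd-gui\.jar|world\.vbs|cmstp'
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspicious) {
            Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) -> $cmd"
        }
    }
}

# 3. Startup folders (current user and all users): flag the known name, list the rest.
$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup')
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($d in $startupDirs) {
    if (Test-Path $d) {
        Get-ChildItem $d -File | ForEach-Object {
            $cat = if ($_.Name -ieq $indicators.StartupScript) { 'StartupScript-KnownName' } else { 'StartupItem' }
            Add-Finding $cat $_.FullName
        }
    }
}

# 4. Live TCP connections to the reported C2 address, with the owning process ID.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $indicators.C2 } |
    ForEach-Object { Add-Finding 'C2Connection' "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" }

# 5. Process-creation events (4688) from the last 7 days for the named LOLBin.
#    CommandLine is only populated when command-line auditing is also enabled.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction Stop |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $x.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if (-not $data['NewProcessName']) { return }
        $leaf = Split-Path -Leaf $data['NewProcessName']
        if ($indicators.LolBins -contains $leaf) {
            Add-Finding 'ProcessCreation' "$($_.TimeCreated) $($data['NewProcessName']) parent=$($data['ParentProcessName']) cmd=$($data['CommandLine'])"
        }
      }
} catch {
    Add-Finding 'Note' "4688 query failed or process auditing is not enabled: $($_.Exception.Message)"
}

$findings | Sort-Object Category | Format-Table -AutoSize
```

The script only reports; removing a task or startup script, isolating the endpoint and resetting credentials remain manual steps so that an analyst confirms each finding first. Running it before and after remediation gives a simple way to verify that the exclusions and persistence entries are gone.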
This disclosure comes after BlackFog revealed details of a new Windows RAT malware family called Steaelite, which was first promoted on criminal forums in November 2025 as the “best Windows RAT” with “fully undetectable” (FUD) capabilities, compatible with both Windows 10 and 11.
Unlike other off-the-shelf RATs sold to criminals, Steaelite packages data theft and ransomware together into a single web panel, and an Android ransomware module is also in the works. The panel also incorporates various operator tools that facilitate keylogging, operator-to-victim chat, file search, USB spreading, wallpaper changes, UAC bypass, and clipper functionality.
Other notable features include removing conflicting malware, disabling or configuring exclusions for Microsoft Defender, and installing persistence methods.
Key features of Steaelite RAT include support for remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password theft, enumeration of installed programs, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.
“This tool gives operators browser-based control of infected Windows machines, covering remote code execution, credential theft, live monitoring, file exfiltration, and ransomware deployment from a single dashboard,” said security researcher Wendy McCaig.
“A single attacker can browse files, exfiltrate documents, collect credentials, and deploy ransomware from the same dashboard. This allows for complete dual extortion from one tool.”
In recent weeks, threat hunters have also discovered two new RAT families tracked as DesckVB RAT and KazakRAT. These enable comprehensive remote control over infected hosts and can selectively deploy post-compromise capabilities. KazakRAT is suspected to be the work of a state-affiliated cluster targeting entities in Kazakhstan and Afghanistan as part of a campaign that has been ongoing since at least August 2022, according to Ctrl Alt Intel.
